A SIMPLE GENERALIZATION OF THE ELGAMAL CRYPTOSYSTEM TO NON-ABELIAN GROUPS II

AYAN MAHALANOBIS 

Abstract. This is a study of the MOR cryptosystem using the special linear group over finite fields. The automorphism group of the special linear group is analyzed for this purpose. At our current state of knowledge, I show that the MOR cryptosystem has better security than the ElGamal cryptosystem over finite fields.



1. Introduction 

The MOR cryptosystem is a generalization of the ElGamal cryptosystem, where the discrete logarithm problem works in the automorphism group of a group G, instead of the group G itself. The framework for the MOR cryptosystem was first proposed in Crypto 2001 by Paeng et al. [13]. Mahalanobis [10] used the group of unitriangular matrices for the MOR cryptosystem. That effort was successful: the MOR cryptosystem over the group of unitriangular matrices became as secure as the ElGamal cryptosystem over finite fields.

In this paper I offer another MOR cryptosystem, this time using the group of unimodular matrices. More precisely, SL(d, q), the special linear group of matrices of degree d over the finite field $\mathbb{F}_q$, is used. Since the automorphisms of the special linear group and of the projective special linear group are the same, and so is the structure of their automorphism groups, everything I say about the special linear group can be said about the projective special linear group too.

In this MOR cryptosystem, I am working with matrices of degree d over $\mathbb{F}_q$. To encrypt (decrypt) a plaintext (ciphertext) one works over the field $\mathbb{F}_q$. To break this cryptosystem one has to solve a discrete logarithm problem in $\mathbb{F}_{q^{d^2}}$. Even for a small integer d, this provides us with a considerable security advantage. This is the central idea I am trying to "market" in this paper.

There are some challenges in the implementation of this cryptosystem. Implementing matrix multiplication is hard. Though we have not reached the optimum speed for that [?], it might always stay harder than multiplication in a finite field. So one needs to find an optimum strategy to present the automorphisms and the underlying group for the MOR cryptosystem; see Section 8 for more details.

At the end I provide parameters for the proposed MOR cryptosystem. I suspect that the parameters are too conservative and the degree of the matrix is unnecessarily big. The overly conservative estimates are to show that for the chosen parameters, the MOR cryptosystem is almost as good as the ElGamal cryptosystem over elliptic curves (in terms of security), the gold standard in public key cryptography. For most practical purposes, the degree of the matrix can be chosen smaller.

It seems that the MOR cryptosystem is a gold mine for cryptography. There are definitely groups out there for which the cryptosystem is secure. There are two kinds of automorphisms for a group G, those that act by conjugation and those that do not. In this paper I refer to them as $\mathcal{A}$ and $\mathcal{B}$ respectively. For SL(d, q) the size of $\mathcal{B}$ turns out to be very small and so we have to rely on the automorphisms from $\mathcal{A}$ only. However, if we can find groups where $\mathcal{B}$ is large, then those groups might provide us with a secure MOR cryptosystem, in which the security cannot be reduced to the discrete logarithm problem in a finite field.

There are many important aspects to a public key cryptosystem. Some of 
those are: 

i: "Provable Security" or semantic security. 

ii: Fast and secure implementation of the cryptosystem. 

iii: Security of the underlying cryptographic primitive. 

In this paper we make no attempt to study the "provable security" of this 
MOR cryptosystem. I provide parameters and study implementation of this 
MOR cryptosystem; however, the major emphasis of this paper is the com- 
putational security of the MOR cryptosystem, i.e., security of the underly- 
ing cryptographic primitive. 
2. The MOR cryptosystem

This section contains a bare-bones description of the MOR cryptosystem [13], see also [12]. A description and a critical analysis of the MOR cryptosystem is also in [10] and the references there.

2.1. Description of the MOR cryptosystem. Let $G = \langle g_1, g_2, \ldots, g_r \rangle$, $r \in \mathbb{N}$, be a finite group and $\phi$ a non-trivial automorphism of G. Alice's keys are as follows:

Public Key: $\{\phi(g_i)\}_{i=1}^{r}$ and $\{\phi^m(g_i)\}_{i=1}^{r}$, $m \in \mathbb{N}$.
Private Key: m.

Encryption.

a: To send a message (plaintext) $a \in G$, Bob computes $\phi^r$ and $\phi^{mr}$ for a random $r \in \mathbb{N}$.
b: The ciphertext is $(\{\phi^r(g_i)\}_{i=1}^{r}, \phi^{mr}(a))$.

Decryption.

a: Alice knows m, so if she receives the ciphertext $(\phi^r, \phi^{mr}(a))$, she computes $\phi^{mr}$ from $\phi^r$ and then $\phi^{-mr}$, and then from $\phi^{mr}(a)$ computes a.

Alice can compute $\phi^{-mr}$ in two ways: if she has the information necessary to find out the order of the automorphism, then she can use the identity $\phi^{t-m} = \phi^{-m}$ whenever $\phi^t = 1$. Also, she can find out the order of some subgroup to which $\phi$ belongs and use the same identity. However, the smaller the subgroup, the more efficient the decryption algorithm.

2.2. MOR cryptosystem as a generalization of the ElGamal cryptosystem. Let $G = \langle g \rangle$ be a finite cyclic group of order n written additively; then one can define $\phi : g \mapsto kg$ for some $k \in \mathbb{N}$. In this case $\phi^m : g \mapsto k^m g$; since g is public information, the public information of $\phi$ and $\phi^m$ is identical to the public information of $k \bmod n$ and $k^m \bmod n$. So the discrete logarithm problem in the automorphism group of G, i.e., given $\phi$ and $\phi^m$ find m, reduces to: given $k \bmod n$ and $k^m \bmod n$ find m. This is the discrete logarithm problem [18, Chapter 6]. This clearly shows that the MOR cryptosystem as defined above is a straightforward generalization of the ElGamal cryptosystem [18, Cryptosystem 6.1] from a cyclic group to a non-abelian group.
3. The unimodular group of degree d over $\mathbb{F}_q$

The group SL(d, q) is the set of all matrices of degree d over $\mathbb{F}_q$ with determinant 1. It is well known that SL(d, q) is a normal subgroup of GL(d, q), the group of non-singular matrices of degree d over $\mathbb{F}_q$. In this article I consider $\mathbb{F}_q$ to be a finite extension of the ground field $\mathbb{Z}_p$ of degree $\gamma$, where $\gamma \geq 1$.

Definition 1. For a distinct ordered pair (i, j) define a matrix unit $e_{ij}$ as a matrix of degree d such that all entries in $e_{ij}$ are 0, except the intersection of the $i^{\text{th}}$ row and the $j^{\text{th}}$ column, which is 1 (the identity in the field $\mathbb{F}_q$). Matrices of the form $1 + \lambda e_{ij}$, $\lambda \in \mathbb{F}_q$, are called the elementary matrices or elementary transvections. Here 1 is the identity matrix of degree d. I shall abuse the notation a little bit and use 1 for the identity of the field and of the matrix group simultaneously.

It is known that the group SL(d, q) is generated by elementary transvections [14, Theorem 8.8]. The fundamental relations for the elementary transvections are the relations in the field and the ones stated below:

(1) $(1 + \lambda e_{ij})(1 + \mu e_{kl})(1 + \lambda e_{ij})^{-1}(1 + \mu e_{kl})^{-1} = \begin{cases} 1 + \lambda\mu e_{il} & \text{if } j = k,\ i \neq l \\ 1 - \lambda\mu e_{kj} & \text{if } i = l,\ j \neq k \\ 1 & \text{otherwise} \end{cases}$

(2) $(1 + \lambda e_{ij})(1 + \mu e_{ij}) = 1 + (\lambda + \mu) e_{ij}$

(3) $(1 + \lambda e_{ij})^{-1} = 1 - \lambda e_{ij}$

(4) $(1 + \lambda e_{ij})^k = 1 + k\lambda e_{ij}$, $k \in \mathbb{N}$

where $\lambda, \mu \in \mathbb{F}_q$.

4. Automorphisms of the unimodular group over $\mathbb{F}_q$

It is well known that the automorphisms of SL(d, q) are the following [3]:

Diagonal Automorphism: This is conjugation by a non-scalar diagonal matrix. Notice that since diagonal matrices are in general not of determinant 1, the diagonal matrices are not in SL(d, q). So a diagonal automorphism is not an inner automorphism.

Inner Automorphism: This is the most well known automorphism of a non-abelian group G, defined by $x \mapsto g^{-1} x g$ for $g \in G$.

Graph Automorphism: The graph automorphism induces the map $A \mapsto (A^{-1})^T$, $A \in \mathrm{SL}(d, q)$. Clearly, graph automorphisms are involutions, i.e., of order two, and are not inner automorphisms.

Field Automorphism: This automorphism is the action of a field automorphism of the underlying field on the individual entries of a matrix.

In this section I am interested in a special class of inner automorphisms, "permutation automorphisms". For a permutation automorphism the conjugator g in the inner automorphism is a permutation matrix. It is well known that for a permutation matrix P, $\det(P) = \pm 1$ and $P^{-1} = P^T$. The permutation matrix is constructed by taking the identity matrix 1 and then exchanging the rows based on some permutation $\sigma$. If the permutation $\sigma$ is even then the determinant of P is 1, otherwise it is $-1$. Note that if the determinant is $-1$, then conjugation by that permutation matrix is not an inner automorphism; but it is close to being one and I will treat it like an inner automorphism in this paper.

4.0.1. Effect of a permutation automorphism on an elementary transvection. If A is an elementary transvection, i.e., $A = 1 + \lambda e_{ij}$, and P is a permutation matrix, then $P^{-1} A P = 1 + \lambda e_{\sigma^{-1}(i), \sigma^{-1}(j)}$.

4.0.2. Effect of a diagonal automorphism on an elementary transvection. Let $D = [w_1, \ldots, w_d]$ be a diagonal matrix. If $A = 1 + \lambda e_{ij}$ then $D^{-1} A D = 1 + (w_i^{-1} \lambda w_j) e_{ij}$. Let us fix a pair (i, j) such that $1 \leq i, j \leq d$, and look at the root subgroup $\{1 + \lambda e_{ij}\}$, $\lambda \in \mathbb{F}_q$. This subgroup is clearly isomorphic to $\mathbb{F}_q^+$.

Assume for a moment that I am using the MOR cryptosystem as described in Section 2.1 with G the root subgroup defined above and $\phi$ a diagonal automorphism. Then clearly, for some $k \in \mathbb{F}_q$,

$\phi : 1 + e_{ij} \mapsto 1 + k e_{ij}.$

We see that this MOR cryptosystem is identical to the ElGamal cryptosystem over finite fields. Since SL(d, q) is generated by elementary transvections, I claim that using the diagonal automorphisms of the special linear group over finite fields, the MOR cryptosystem is identical to the ElGamal cryptosystem over finite fields. It is reasonable to assume that there are other automorphisms, composition of which with the diagonal automorphisms will provide us with better security.

4.0.3. The effect of the graph automorphism on an elementary transvection. It is easy to see from the definition of the graph automorphism that if $A = 1 + \lambda e_{ij}$ then $(A^{-1})^T = 1 - \lambda e_{ji}$.

4.0.4. The effect of field automorphisms on an elementary transvection. It is well known that the field automorphisms form a cyclic group generated by the Frobenius automorphism of the field $\mathbb{F}_q$, given by $\lambda \mapsto \lambda^p$, where p is the characteristic of the field $\mathbb{F}_q$. Then the action of a field automorphism on an elementary transvection is $1 + \lambda e_{ij} \mapsto 1 + \lambda^{p^l} e_{ij}$, where $1 \leq l \leq \gamma$.

5. MOR with monomial automorphisms

Assume for a moment that I am only using the composition of a diagonal and an inner automorphism of SL(d, q), i.e., I am using MOR (Section 2.1) where $\phi = \phi_1 \circ \phi_2$, $\phi_1$ is a diagonal automorphism and $\phi_2$ is a permutation automorphism. Then clearly $\phi$ is a monomial automorphism, conjugation by a monomial matrix. The diagonal automorphism $\phi_1$ changes $1 + e_{ij}$ to $1 + \lambda_{ij} e_{ij}$ for some $\lambda_{ij} \in \mathbb{F}_q$. Note that $\lambda_{ij}$ depends on the diagonal automorphism, and once the diagonal automorphism is fixed, $\lambda_{ij}$ is also fixed for a particular (i, j). The permutation automorphism $\phi_2$ changes $1 + \lambda_{ij} e_{ij}$ to $1 + \lambda_{ij} e_{\beta(i), \beta(j)}$ where $\beta = \sigma^{-1}$. Here $\sigma$ is the permutation that gives rise to the permutation matrix P used in the permutation automorphism.

I now look at the action of the powers of the automorphism $\phi = \phi_1 \circ \phi_2$ on the elementary transvection $1 + e_{ij}$. Notice that if

(5) $\phi : 1 + e_{ij} \xrightarrow{\ \text{diagonal}\ } 1 + \lambda_{ij} e_{ij} \xrightarrow{\ \text{permutation}\ } 1 + \lambda_{ij} e_{\beta(i), \beta(j)},$

then

(6) $\phi^m : 1 + e_{ij} \mapsto 1 + \prod_{l=0}^{m-1} \lambda_{\beta^l(i), \beta^l(j)} \; e_{\beta^m(i), \beta^m(j)}.$

Now let us assume that the order of $\beta$ is $o(\beta) = \nu$; then

$\phi^\nu : 1 + e_{ij} \mapsto 1 + \prod_{l=0}^{\nu-1} \lambda_{\beta^l(i), \beta^l(j)} \; e_{ij}.$

This shows that a cycle is formed, and if $\nu < m$, then this reduces the discrete logarithm problem in $\langle \phi \rangle$ to a discrete logarithm problem in the finite field $\mathbb{F}_q$. It is well known that in the symmetric group $S_n$, acting on n points, one can get elements of very high order. In our problem, however, I am actually interested in the length of the orbit formed by the action of the cyclic subgroup of $S_n$ generated by $\beta$ on the set of distinct ordered pairs of $\{1, 2, \ldots, n\}$. It is known that these orbits are quite small.

Since the permutation $\beta$ is easy to find from the public information $\phi$ and $\phi^m$, unless the degree of the matrix d is astronomically big, we do not have any chance of a MOR cryptosystem which is more secure than the ElGamal cryptosystem over finite fields.

Since the conjugacy problem is easy in GL(d, q), from the public information of $\phi_1$ and $\phi_2$ one can compute the conjugator monomial matrices for $\phi_1$ and $\phi_2$ modulo an element of the center of GL(d, q). I shall come back to this topic later (Section 7.2) in more detail.
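As an added illustration of the cycle described in this section (not code from the paper), the following Python builds a monomial automorphism of SL(5, 11), reads the permutation $\beta$ and the coefficients $\lambda_{ij}$ off its public images, computes the orbit length $\nu$ of a pair (i, j), and checks equation (6) against direct conjugation. The helper `read_off` doubles as the check a key generator would run to reject a monomial conjugator; d = 5, p = 11 and all function names are my own choices.

```python
"""Added example: monomial automorphisms of SL(d, p) on the transvections.
Toy values d = 5, p = 11 (assumed); indices are 0-based in the code."""

def matmul(X, Y, p):
    d = len(X)
    return [[sum(X[i][k] * Y[k][j] for k in range(d)) % p for j in range(d)]
            for i in range(d)]

def transvection(d, i, j, lam, p):
    """The elementary transvection 1 + lam * e_ij (i != j)."""
    T = [[int(r == c) for c in range(d)] for r in range(d)]
    T[i][j] = lam % p
    return T

def monomial_matrix(w, sigma, p):
    """M = sum_i w_i e_{i,sigma(i)} (a diagonal times a permutation matrix)
    and its inverse sum_i w_i^-1 e_{sigma(i),i}."""
    d = len(w)
    M = [[0] * d for _ in range(d)]
    Minv = [[0] * d for _ in range(d)]
    for i in range(d):
        M[i][sigma[i]] = w[i] % p
        Minv[sigma[i]][i] = pow(w[i], -1, p)
    return M, Minv

def conj_on_generators(M, Minv, p):
    """The public key of Section 2.1: the images M^-1 (1 + e_ij) M of all transvections."""
    d = len(M)
    return {(i, j): matmul(matmul(Minv, transvection(d, i, j, 1, p), p), M, p)
            for i in range(d) for j in range(d) if i != j}

def read_off(phi, d):
    """If every image is itself a transvection 1 + lam e_{i'j'}, return (beta, lam) with
    phi(1 + e_ij) = 1 + lam[(i,j)] e_{beta(i),beta(j)}; otherwise None.  A key for
    which this succeeds is monomial and, by the argument above, should be rejected."""
    beta, lam = {}, {}
    for (i, j), X in phi.items():
        off = [(r, c) for r in range(d) for c in range(d) if r != c and X[r][c]]
        if len(off) != 1 or any(X[r][r] != 1 for r in range(d)):
            return None                      # image is not a single transvection
        (r, c), = off
        if beta.setdefault(i, r) != r or beta.setdefault(j, c) != c:
            return None                      # images not induced by one permutation
        lam[(i, j)] = X[r][c]
    return beta, lam

def orbit_length(beta, i, j):
    """nu: the length of the orbit of the ordered pair (i, j) under beta."""
    nu, (a, b) = 1, (beta[i], beta[j])
    while (a, b) != (i, j):
        a, b, nu = beta[a], beta[b], nu + 1
    return nu

def power_on_generator(beta, lam, m, i, j, p):
    """phi^m(1 + e_ij) = 1 + coef * e_{a,b} by walking the orbit, i.e. equation (6)."""
    coef, (a, b) = 1, (i, j)
    for _ in range(m):
        coef, a, b = coef * lam[(a, b)] % p, beta[a], beta[b]
    return coef, (a, b)

def direct_power(M, Minv, m, i, j, p):
    """The same phi^m(1 + e_ij), computed as M^-m (1 + e_ij) M^m for cross-checking."""
    X = transvection(len(M), i, j, 1, p)
    for _ in range(m):
        X = matmul(matmul(Minv, X, p), M, p)
    return X
```

With the sample weights and the permutation (0 1)(2 3 4), the pair (0, 2) has orbit length 6, so $\phi^6$ fixes the position of $e_{0,2}$ and only scales it.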



6. Structure of the automorphism group of SL(d, q)

Let us start with a well known theorem describing the structure of the automorphism group of SL(d, q). Let $\mathcal{A}$ be the group of automorphisms generated by the diagonal and the inner automorphisms and $\mathcal{B}$ be the group generated by the graph and the field automorphisms. Recall that the center of the group GL(d, q) is the set of all scalar matrices $\lambda 1$, where $\lambda \in \mathbb{F}_q^*$ and 1 is the identity matrix of degree d. I shall denote the center of GL(d, q) by Z and the projective general linear group $\mathrm{GL}(d, q)/Z$ by PGL(d, q).

A brief warning about the notation. To increase readability of the text, from now on, the image of a under f will be denoted either by $a^f$ or by $f(a)$. Also, I might denote the conjugation of X by A as $X^A$.

Theorem 6.1. The group $\mathcal{A}$ is isomorphic to PGL(d, q) and Aut(SL(d, q)) is a semidirect product of $\mathcal{A}$ with $\mathcal{B}$.

Proof. From [?, Theorem 2.12] we know that any element in GL(d, q) is generated by the set consisting of all invertible diagonal matrices and all transvections. Then we can define a map $F : \mathrm{GL}(d, q) \to \mathcal{A}$ by letting $F(A)$ be the map $X \mapsto X^A$; clearly F is an epimorphism and $\mathrm{Ker}(F) = Z$. From the first isomorphism theorem we have that $\mathrm{PGL}(d, q) \cong \mathcal{A}$.

We are left to show that Aut(SL(d, q)) is a semidirect product of $\mathcal{A}$ with $\mathcal{B}$. To prove this we need to show that $\mathcal{A}$ is a normal subgroup of Aut(SL(d, q)) and that Aut(SL(d, q)) $= \mathcal{A}\mathcal{B}$. Notice that any $f \in \mathcal{B}$ is an automorphism of GL(d, q). With this in mind we see that for $A \in \mathrm{GL}(d, q)$ and $X \in \mathrm{SL}(d, q)$

$X^{f^{-1} A f} = f\left(A^{-1} f^{-1}(X) A\right) = f(A)^{-1} X f(A) = X^{f(A)}.$

This proves that $\mathcal{A}$ is a normal subgroup of Aut(SL(d, q)). Now notice that

for any $f \in \mathcal{B}$, $A^{-1} X^f A = \left( (A^{-1})^{f^{-1}} X A^{f^{-1}} \right)^f$, where $A \in \mathrm{GL}(d, q)$.

This proves that we can move elements of $\mathcal{B}$ to the right of the product of automorphisms. This proves our theorem.

Now notice that the order of $\mathcal{A}$ is actually big, it is $q^{\frac{d(d-1)}{2}} (q^d - 1)(q^{d-1} - 1) \cdots (q^2 - 1)$, but the order of $\mathcal{B}$ is small. The group $\mathcal{B}$ is the direct product of the graph and field automorphisms. The order of $\mathcal{B}$ is $2\gamma$, where $\gamma$ is the degree of the extension $\mathbb{F}_q$ over the ground field. Let $\gamma_1 = 2\gamma$.

Let $\phi$ and $\phi^m$ be as in Section 2.1; then from the previous theorem $\phi = A\psi_1$ and $\phi^m = A'\psi_2$, where $A, A' \in \mathcal{A}$ and $\psi_1, \psi_2 \in \mathcal{B}$. I shall consider $A \in \mathcal{A}$ as the conjugator as well; this is clearly the case because $\mathcal{A} \cong \mathrm{PGL}(d, q)$.

Now if $\phi = A\psi_1$, then $\phi^m = A A^{\psi_1} \cdots A^{\psi_1^{m-2}} A^{\psi_1^{m-1}} \psi_1^m$. In this case $A A^{\psi_1} \cdots A^{\psi_1^{m-2}} A^{\psi_1^{m-1}} \in \mathcal{A}$ and $\psi_1^m \in \mathcal{B}$.

Now if $\gamma_1 < m$, and since the order of $\psi_1$ divides $\gamma_1$, there are $r_1$ and $r_2$ such that $m - 1 = k_1 \gamma_1 + r_1$, where $0 \leq r_1 < \gamma_1$, and $r_2 = m \bmod \gamma_1$. Then $A A^{\psi_1} \cdots A^{\psi_1^{m-1}} = A_1^{k_1} A A^{\psi_1} \cdots A^{\psi_1^{r_1}}$ where $A_1 = A A^{\psi_1} \cdots A^{\psi_1^{\gamma_1 - 1}}$. From the information of $\phi$ and $\phi^m$ we then have the information of $\psi_1$ and $\psi_1^{r_2}$. For all practical purposes of implementing this cryptosystem, the degree of the field extension cannot be too large; in this case one can do an exhaustive search on the cosets of $\mathcal{A}$ and find out $\psi_1$ and $\psi_1^{r_2}$, and do another exhaustive search to solve the discrete logarithm problem in $\langle \psi_1 \rangle$ and find $r_2$. The information of $r_2$ gives us vital information about the secret key m. This is clearly unacceptable. So the only way out of this situation is not to use automorphisms from $\mathcal{B}$.

Then for $X \in \mathrm{SL}(d, q)$ the automorphisms $\phi$ and $\phi^m$ as in Section 2.1 are given by

(7) $\phi(X) = A^{-1} X A$ for some $A \in \mathrm{GL}(d, q)$

(8) $\phi^m(X) = A'^{-1} X A'$ for some $A' \in \mathrm{GL}(d, q)$
Now notice that in the description of the MOR protocol we presented the automorphisms as their action on generators, and furthermore a set of generators for SL(d, q) is the set of elementary transvections.

In this case from the public information of $\phi$ and $\phi^m$ one can find A and A'. This problem is known to be easy in GL(d, q) and is often referred to as the special conjugacy problem [12, 13]. However, notice that A and A' are not unique. For example, if A and A' satisfy the above equations then so will Az and A'z' for any $z, z' \in Z$; see Section 7.1.

We just saw that the only way to build a secure MOR cryptosystem using SL(d, q) is using automorphisms from $\mathcal{A}$. Henceforth, whenever we are talking about the MOR cryptosystem, we are using the group SL(d, q) and the automorphisms from $\mathcal{A}$.

7. Security of the proposed MOR cryptosystem

This paper is primarily focused on the discrete logarithm problem in the automorphism group of a non-abelian group. There are two kinds of attack on the discrete logarithm problem over finite fields. One is the generic attack, which uses a black box group algorithm, and the other is an index calculus attack.

Since the black box group algorithms work in any group, they will work in the automorphism group too, see [9, Theorem 1]. We have no way to prevent that. On the other hand, these generic attacks are of exponential time complexity and so are of the least concern.

The biggest computational threat to any cryptosystem using the discrete logarithm problem is a subexponential attack like the index calculus attack [15]. It is often argued [?] that there is no index calculus algorithm for the elliptic curve cryptosystem that has subexponential time complexity. This fact is presented often to promote elliptic curve cryptosystems over finite field cryptosystems [8]. So, the best we can hope for from the present MOR cryptosystem is that there is no index calculus attack, or that the index calculus attack becomes exponential. There are three issues with a MOR cryptosystem:

7.1. Membership Problem. Please refer back to Equations (7) and (8). We know that solving the conjugacy problem (special conjugacy problem) is easy in GL(d, q), but the solution is not unique. If I fix A, then to solve the discrete logarithm problem, I need to find $A^m$. This means that I must find that A' for which $A' \in \langle A \rangle$.

Notice that the public information of the automorphisms $\phi$ and $\phi^m$ is their action on a set of generators of SL(d, q), viz. the set of elementary transvections. To find A and A', the adversary needs to compute the image of $\phi$ and $\phi^m$ on some $X \in \mathrm{SL}(d, q)$. Then the adversary sees $A^{-1} X A$ and $A'^{-1} X A'$. Now for any Y in the centralizer of X in SL(d, q), $(YA)^{-1} X (YA) = A^{-1} X A$. So there is no unique solution to the equation: given X and $A^{-1} X A$, find A. There are many solutions to that; all elements of the center will be contained in the centralizer. The practical situation is even more complicated, because one needs to find A and A' in the same ambiguous way.

Notice that for any $X \in \mathrm{SL}(d, q)$, $X^l$, $l \in \mathbb{N}$, is contained in the centralizer. So if we can find an $X \in \mathrm{SL}(d, q)$ which is an involution (order 2) with small centralizer, then there is a real possibility that this MOR cryptosystem will become as secure as the DLP in $\mathbb{F}_q$. In that case the security of this cryptosystem will be the same as working with non-singular linear transformations of a finite dimensional vector space over a finite field.

7.2. Inner automorphisms as matrices. As it turns out, the only way that a secure MOR cryptosystem might work for the unimodular group is through conjugation of matrices, i.e., automorphisms from $\mathcal{A}$. This MOR cryptosystem can be seen as working with inner automorphisms of GL(d, q). It is well known that the inner automorphisms work linearly on the $d^2$-dimensional algebra of matrices of degree d over $\mathbb{F}_q$. For a fixed basis, any linear operator on a vector space can be represented as a matrix. So the discrete logarithm problem in $\langle \phi \rangle$ (Section 2.1) is now reduced to the discrete logarithm problem in GL($d^2$, q).¹ The question is, how easy is it to solve this discrete logarithm problem?

The best algorithm for solving the discrete logarithm problem in GL(k, q) was given by Menezes and Wu [11]. In this case the authors show that for $X, Y \in \mathrm{GL}(k, q)$ such that $X^l = Y$, $l \in \mathbb{N}$, we can solve the discrete logarithm problem if $\chi(x)$, the characteristic polynomial of X, factors into irreducible polynomials of small degree. If the characteristic polynomial is irreducible then the discrete logarithm problem in $\langle X \rangle$ reduces to the discrete logarithm problem in $\mathbb{F}_{q^k}$.

¹ I am making an optimistic assumption that the reduction can actually be carried out. The reason I say that is that the automorphisms are presented as their action on generators of SL(d, q). However, I do not know any basis for the matrix algebra that belongs to SL(d, q).

In our case we are working in GL($d^2$, q). So the characteristic polynomial has degree $d^2$. It is easy to see that if the characteristic polynomial is irreducible then the extension of the lowest degree in which the characteristic polynomial will split is $\mathbb{F}_{q^{d^2}}$.

The expected asymptotic complexity of the index calculus algorithm in $\mathbb{F}_{q^k}$ is $\exp\left((c + o(1)) (\log q^k)^{\frac{1}{3}} (\log\log q^k)^{\frac{2}{3}}\right)$, where c is a constant, see [15] and [?, Section 4]. If the degree of the extension, k, is greater than $\log^2 q$ then the asymptotic time complexity of the index calculus algorithm is exponential. In our case that means if $d > \log q$ then the asymptotic complexity of the index calculus algorithm becomes exponential.

If we choose $d > \log q$ then this MOR cryptosystem becomes as secure as ElGamal over the elliptic curve groups, because then the index calculus algorithm becomes exponential; otherwise we cannot guarantee that. But on the other hand, in the proposed MOR cryptosystem encryption and decryption work over $\mathbb{F}_q$ and breaking the cryptosystem depends on solving a discrete logarithm problem in $\mathbb{F}_{q^{d^2}}$. Since implementing the index calculus attack becomes harder as the field gets bigger, it is clear that even if we take $d < \log q$, the MOR cryptosystem is much more secure than the ElGamal cryptosystem over $\mathbb{F}_q$. I shall go into the details of the choice of parameters in Section 8.1.

8. Implementation of this MOR cryptosystem

The cryptosystem we have in mind is the MOR cryptosystem (Section 2.1); the non-abelian group is SL(d, q) and the automorphisms are the automorphisms from $\mathcal{A}$. In this implementation the most important thing will be the presentation of $\phi$ and $\phi^m$. We decided earlier that the presentation will be the action of the automorphisms on a set of generators $\{g_1, g_2, \ldots, g_r\}$. Now we can write $\phi(g_i)$ as a word in the generators $g_1, g_2, \ldots, g_r$, or we can write the product of the generators as a matrix. We choose the latter; there are two reasons for that:

i: This will contain the growth in the length of the word, especially while computing the powers of $\phi$. That will stop any length based attack.

ii: This will add to the diffusion.

The set of generators for SL(d, q) that we have in mind is the elementary transvections. It is easy to go back and forth between words in elementary transvections and matrices using row reduction.

A big question is how to compute large powers of $\phi$ efficiently. This is not the object of study of this paper and we will be brief on this topic.

Since the set of generators consists of elementary transvections, computing the power of $\phi$ can be done using only words in elementary transvections and the images of the automorphism on these elementary transvections. This can be done very efficiently. However, we have decided to write $\phi^m(g_i)$ as matrices. So, while computing the power of $\phi$, one might have to go back and forth between words and matrices. The objective of this exercise is to reduce the amount of matrix multiplication in computing the power of $\phi$. Also, one can use the relations among the elementary transvections to shorten the length of the word. There are quite a few options available.

We explore one such option in more detail. Assume that we are computing $\phi^m$ using the square and multiply algorithm [18, Algorithm 5.5]. In this algorithm one needs to multiply two group elements; in our case it is composing two automorphisms. So, we need to find out the worst-case complexity of multiplying two automorphisms. I further assume that the automorphism is given as the images of $(1 + e_{ij})$, $i \neq j \in \{1, 2, \ldots, d\}$, each image being one $d \times d$ matrix. So for the sake of notational convenience I assume that we are squaring $\phi$, where $\phi$ is given by its action on elementary transvections. As is customary we assume that field addition is free and we count the number of field multiplications necessary to do the computation.

Let us start with the matrix M such that $M = \phi(1 + e_{ij})$. I shall use row operations to write M as a product of elementary transvections. We count each row operation as d field multiplications and there are at most $d^2$ row operations. So in the worst case after $d^3$ field multiplications we have written M as a product of elementary transvections. At most there are $d^2$ elementary transvections in the product.²

Using the relation in Equation (2), we split each transvection into a product of elementary transvections over the ground field. So now there are $(p - 1)\gamma d^2$ elementary transvections over the ground field, for each of which the image under $\phi$ is known. Then the image under $\phi$ is computed and then there are $(p - 1)\gamma d^2$ elementary transvections. The question is how to compute the matrix corresponding to that? I propose the following:

² Some small examples computed by the author using GAP [6] suggest that in practice this number is much smaller.

There are at most $(p - 1)\gamma d^2$ elementary transvections in the product of $\phi(M)$. Make d equally spaced partitions of the product of $\phi(M)$. Then each one of these partitions can have at most $(p - 1)\gamma d$ elementary transvections. Now we multiply the $(p - 1)\gamma d$ elementary transvections to get d many matrices and then multiply these d many matrices to get the final matrix corresponding to $\phi^2(1 + e_{ij})$. Now we multiply the $(p - 1)\gamma d$ elementary transvections linearly, one after the other, and use the relations in Equations (1) and (2). Notice that one of the components in this multiplication is an elementary transvection. So every multiplication can take at most d many field multiplications. So the total complexity of multiplying $(p - 1)\gamma d$ many elementary transvections is $(p - 1)\gamma d^2$. Since different partitions can be multiplied in parallel, we assume that the worst-case complexity is $(p - 1)\gamma d^2$ field multiplications.

Now we have to multiply the d many matrices thus obtained. We assume that we use a straight line program to compute the product. Assuming that matrix multiplication can be done in $d^3$ field multiplications, we see that this also requires $d^4$ field multiplications. Since we can compute $\phi^2(1 + e_{ij})$ in parallel for different i and j, we claim that we can multiply two automorphisms with worst-case complexity $(p - 1)\gamma d^2 + d^4$ field multiplications.
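The protocol of Section 2.1 together with the word/matrix bookkeeping of this section, as an added example in Python (not the paper's code): $\phi$ is conjugation by a secret A and is published only through its images on the transvections $1 + e_{ij}$; arbitrary elements are row-reduced into words in transvections, and powers of $\phi$ are taken by square-and-multiply on such presentations. The toy sizes d = 3, p = 7, the choice of A as a product of random transvections, and all function names are my assumptions.

```python
"""Added example: MOR over SL(d, p) with an inner automorphism, phi published
on the generators 1 + e_ij.  Toy sizes d = 3, p = 7 (assumed, far too small)."""
import random

def matmul(X, Y, p):
    d = len(X)
    return [[sum(X[i][k] * Y[k][j] for k in range(d)) % p for j in range(d)]
            for i in range(d)]

def identity(d):
    return [[int(i == j) for j in range(d)] for i in range(d)]

def transvection(d, i, j, lam, p):
    """The elementary transvection 1 + lam * e_ij (i != j)."""
    T = identity(d)
    T[i][j] = lam % p
    return T

def from_word(word, d, p):
    """Multiply out a word [(i, j, lam), ...] of transvections 1 + lam * e_ij."""
    M = identity(d)
    for i, j, lam in word:
        M = matmul(M, transvection(d, i, j, lam, p), p)
    return M

def to_word(M, p):
    """Write M in SL(d, p) as a word in transvections using only the row
    operations R_i <- R_i + lam * R_j, i.e. left multiplication by 1 + lam * e_ij."""
    d, M, ops = len(M), [row[:] for row in M], []
    def addrow(i, j, lam):
        lam %= p
        if lam:
            M[i] = [(M[i][k] + lam * M[j][k]) % p for k in range(d)]
            ops.append((i, j, lam))
    for c in range(d - 1):
        if M[c][c] == 0:                     # bring a nonzero entry onto the pivot
            addrow(c, next(r for r in range(c + 1, d) if M[r][c]), 1)
        if M[c][c] != 1:                     # make the pivot 1 via a row below it
            r = next((r for r in range(c + 1, d) if M[r][c]), None)
            if r is None:
                addrow(c + 1, c, 1)
                r = c + 1
            addrow(c, r, (1 - M[c][c]) * pow(M[r][c], -1, p))
        for r in range(d):                   # clear the rest of column c
            if r != c:
                addrow(r, c, -M[r][c])
    for r in range(d - 1):                   # det M = 1 forces M[d-1][d-1] == 1
        addrow(r, d - 1, -M[r][d - 1])
    # T_n ... T_1 M = 1, so M = T_1^-1 ... T_n^-1 with (1 + lam e_ij)^-1 = 1 - lam e_ij
    return [(i, j, -lam % p) for i, j, lam in ops]

def apply_aut(phi, M, p):
    """phi(M) from the published images phi[(i, j)] = phi(1 + e_ij):
    phi(1 + lam e_ij) = phi(1 + e_ij)^lam by relation (4)."""
    R = identity(len(M))
    for i, j, lam in to_word(M, p):
        for _ in range(lam):
            R = matmul(R, phi[(i, j)], p)
    return R

def compose(phi, psi, p):
    """(phi o psi) on the generators: apply phi to each image psi(1 + e_ij)."""
    return {g: apply_aut(phi, img, p) for g, img in psi.items()}

def aut_pow(phi, n, p):
    """phi^n by square-and-multiply, one composition per multiply."""
    d = len(next(iter(phi.values())))
    R, B = {(i, j): transvection(d, i, j, 1, p) for i, j in phi}, phi
    while n:
        if n & 1:
            R = compose(R, B, p)
        B = compose(B, B, p)
        n >>= 1
    return R

def keygen(d, p, m, seed):
    """Secret conjugator A in SL(d, p) built from random transvections, so A^-1 is
    the reversed word of inverses.  Public: phi and phi^m on the generators.
    Private: m and the order t of phi (the order of A modulo scalars)."""
    rng = random.Random(seed)
    word = [(*rng.sample(range(d), 2), rng.randrange(1, p)) for _ in range(3 * d)]
    A = from_word(word, d, p)
    Ainv = from_word([(i, j, -lam) for i, j, lam in reversed(word)], d, p)
    phi = {(i, j): matmul(matmul(Ainv, transvection(d, i, j, 1, p), p), A, p)
           for i in range(d) for j in range(d) if i != j}
    B, t = A, 1
    while any(B[i][j] != (B[0][0] if i == j else 0) for i in range(d) for j in range(d)):
        B, t = matmul(B, A, p), t + 1
    return (phi, aut_pow(phi, m, p)), (m, t)

def encrypt(pub, a, p, r):
    """Bob's ciphertext (phi^r, phi^(mr)(a)) for a random r."""
    phi, phi_m = pub
    return aut_pow(phi, r, p), apply_aut(aut_pow(phi_m, r, p), a, p)

def decrypt(priv, ct, p):
    """Alice: phi^(-rm) = (phi^r)^(t - m) because phi^t = 1."""
    m, t = priv
    phi_r, c = ct
    return apply_aut(aut_pow(phi_r, (-m) % t, p), c, p)
```

Every call to `apply_aut` pays for one row reduction, which is the word/matrix round trip whose cost is counted above.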

8.1. Parameters for the cryptosystem. We realized that if the conjugator A in $\phi$ (Equation (7)) is a monomial matrix then that prevents the formation of a discrete logarithm problem in the $\lambda$ of an elementary transvection $1 + \lambda e_{ij}$. We need the inner automorphism so that the attack due to the small cycle size of the permutation in the monomial matrix can be avoided. So we have to take the automorphism as conjugation by $A \in \mathrm{GL}(d, q)$. The characteristic polynomial of $\phi$ represented as a matrix in GL($d^2$, q) should be irreducible.

The size of d and q is an open question. With the limited amount of knowledge we have about this cryptosystem, we can only make a preliminary attempt to encourage further research. The current standard for security in public key cryptography is 80-bit security. This means that the best known attack on the cryptosystem should take at least $2^{80}$ steps.

The best known attack on the discrete logarithm problem in the matrices A and A' (Equations (7) and (8)) is the generic square root attack. So we have to ensure that to find m from A and A' one needs at least $2^{80}$ steps. For an attack algorithm we assume that computing in $\mathbb{F}_q$ and in GL(d, q) takes the same amount of time. The field should be of size $2^{160}$.³ So there are two choices for q: take q to be a prime of the order of $2^{160}$, i.e., a 160 bit prime; or take $\mathbb{F}_q = \mathbb{F}_{2^{160}}$.

A similar situation arises with the discrete logarithm problem over the group of an elliptic curve over a finite field. The MOV attack reduces the discrete logarithm problem in the group of the elliptic curve over $\mathbb{F}_q$ to a discrete logarithm problem in $\mathbb{F}_{q^k}$ for some positive integer k. This is of concern in the implementation of the elliptic curve cryptosystem, because if k is too small then there is a subexponential attack on the elliptic curve discrete logarithm problem. On the other hand the size of the elliptic curve group is almost as big as the field. To prevent the square root attack the size of the field has to be considerably higher. Once you assume that the field is of appropriate size ($2^{160}$), small k provides adequate security. Our case is quite similar.

Koblitz et al. [8, Section 5.2] mention that in practice $k \geq 20$ is enough for security. If we buy their argument, then it would seem that one can choose d to be around 7. We suspect that one might be able to go even smaller. In our MOR cryptosystem, the Menezes-Wu algorithm reduces the discrete logarithm problem to one in $\mathbb{F}_{q^{d^2}}$.

So we propose d = 7, and q as described earlier. Then we see that if $q = 2^{160}$, then we are talking about a discrete logarithm problem in $\mathbb{F}_{2^{7840}}$. This clearly surpasses every standard for the discrete logarithm problem over finite fields. At this size of the field, it does not matter if the index calculus is exponential or subexponential. It is simply not doable.

8.2. Generators for the cryptosystem. The question I raise in this section is, are there better generators than the elementary transvections in SL(d, q)? We saw that if we use the elementary transvections for a prime field, then one needs $(d^2 - d)$ elementary transvections, and $(d^2 - d)\gamma$ elementary transvections for $\mathbb{F}_q$ where $q = p^\gamma$.

³ The size of the field is motivated by the use of a similar field in elliptic curve cryptography. For elliptic curves, the choice depends on the fact that the size of the group of rational points on an elliptic curve is roughly the size of the field. In our case, there are matrices of high order in GL(d, q). So the field can be chosen smaller, depending on the matrix we choose to use.

This is one of the major problems in the implementation of this cryptosystem. We now try to solve this problem for SL(d, p), where p is a prime. In this MOR cryptosystem (Section 2.1), generators play a major role. There are some properties of the generators that help. Two of them are:

i: There should be an efficient algorithm to solve the word problem in these generators.

ii: The fewer the generators of the group, the better the cryptosystem.

Albert and Thompson [1] provide us with two generators for SL(d, q). They are

C = 1 + \alpha e_{d-1,2} + e_{d,1}
D = (-1)^d \left( e_{1,2} - e_{2,3} + \sum_{i=3}^{d} e_{i,i+1} \right)

where \alpha is a primitive element of F_q. It is clear from the proof of [1, Lemma 1] that to solve the word problem in these generators one has to solve the discrete logarithm problem in F_q. This is clearly not useful for our cause. So we adapt the generators and extend the result to show that for these generators one can compute the elementary transvections. Since the number of generators is 2, this gives us an advantage in the presentation of the public key and the ciphertext over elementary transvections. However, I know of no efficient algorithm to solve the word problem in these generators. If one can find such an algorithm, then it can be argued that this cryptosystem would become more economical (efficient).

I now prove a theorem which is an adaptation of [1, Lemma 1]. I use the convention used by Albert and Thompson,

The proof of this theorem is practically identical to the proof of [1, Lemma 1]. I include a short proof for the convenience of the reader, and some of the formulas we produce in the proof are useful for implementation.
Theorem 8.1. Let

C = 1 + e_{d-1,2} + e_{d,1}  and  D = (-1)^d \left( e_{1,2} - e_{2,3} + \sum_{i=3}^{d} e_{i,i+1} \right)

be elements of SL(d, p) where d \geq 5. Then C and D generate SL(d, p).

Proof. Let G_0 be the subgroup of SL(d, p) generated by C and D. I will now write down a few formulas, which follow from direct computation. For 2 \leq k \leq d - 2 we have

(9)  D^{-1} = (-1)^d \left( e_{2,1} - e_{3,2} + \sum_{i=3}^{d} e_{i+1,i} \right)

(10) C_1 = D^{-1} C D = 1 - e_{d,3} + e_{1,2}

(11) C C_1 C^{-1} C_1^{-1} = 1 + e_{d,2}

(12) D^{k} = (-1)^k \left( -e_{1,1+k} - e_{2,2+k} + \sum_{i=3}^{d} e_{i,i+k} \right)

(13) D^{-k} = (-1)^k \left( -e_{1+k,1} - e_{2+k,2} + \sum_{i=3}^{d} e_{i+k,i} \right)

(14) C_k = D^{-k} C D^{k} = 1 - e_{k-1,k+2} - e_{k,k+1}

(15) C_k^{-1} = 1 + e_{k-1,k+2} + e_{k,k+1}

(16) (1 + e_{d,k}) \, C_k \, (1 - e_{d,k}) \, C_k^{-1} = 1 - e_{d,k+1}

From Equation (11) we see that 1 + e_{d,2} belongs to G_0, and then mathematical induction on k using Equation (16) proves that 1 + e_{d,k} \in G_0 for k = 2, \ldots, d - 1. Also D^{-2} (1 + e_{d,d-1}) D^{2} = 1 + e_{2,1} \in G_0. Furthermore [1 + e_{d,2}, 1 + e_{2,1}] = 1 + e_{d,1}. This proves that 1 + e_{d,k} \in G_0 for k = 1, 2, \ldots, d - 1. Then we can use the relations in SL(d, p) to prove that 1 + e_{i,j} \in G_0 for i, j \in \{1, 2, \ldots, d\} and i \neq j. This proves the theorem. ∎

The proof of the theorem is constructive. It gives us a way to compute the elementary transvections from these generators of Albert and Thompson; one can use them effectively to publish the public key. There will be some precomputation involved to change the action of \phi from these generators to elementary transvections.
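To see the constructive proof in action, here is an added Python example (not code from the paper) that recovers the transvections 1 + e_{d,k}, k = 1, ..., d-1, from C and D over a small prime field using the proof's two tools: conjugation by powers of D and commutators of already-recovered elements. It assumes the subscript convention e_{d,d+1} = e_{d,1} (indices modulo d) for D, tracks signs by explicit matrix arithmetic instead of the displayed closed forms, and, for the entry 1 + e_{d,d-1}, takes the commutator of 1 + e_{d,d-3} with a D-conjugate of 1 + e_{d,2}; the parameters d = 5, 6, 7 and p = 7, 5, 2 are constructed test values.

```python
# Added example (not from the paper): recover 1 + e_{d,k}, k = 1..d-1, from the
# generators C and D of Theorem 8.1 over F_p. Assumption: subscripts are taken
# modulo d (e_{d,d+1} means e_{d,1}); signs are tracked by explicit arithmetic.

def identity(d):
    return [[int(i == j) for j in range(d)] for i in range(d)]

def matmul(a, b, p):
    """Product of two d x d matrices over F_p (entries reduced modulo p)."""
    d = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(d)) % p for j in range(d)]
            for i in range(d)]

def transvection(d, p, i, j, val=1):
    """Elementary transvection 1 + val * e_{i,j}, 1-based indices taken mod d."""
    m = identity(d)
    m[(i - 1) % d][(j - 1) % d] = val % p
    return m

def inverse_unipotent(u, p):
    """Inverse of u = 1 + X with X^2 = 0, namely 1 - X = 2*1 - u (verified)."""
    d = len(u)
    inv = [[(2 * int(i == j) - u[i][j]) % p for j in range(d)] for i in range(d)]
    assert matmul(u, inv, p) == identity(d), "not of the form 1 + X with X^2 = 0"
    return inv

def commutator(a, b, p):
    """[a, b] = a b a^{-1} b^{-1} for unipotent a, b as above."""
    ab = matmul(a, b, p)
    return matmul(ab, matmul(inverse_unipotent(a, p), inverse_unipotent(b, p), p), p)

def generators(d, p):
    """C = 1 + e_{d-1,2} + e_{d,1}, D = (-1)^d (e_{1,2} - e_{2,3} + sum_{i=3}^{d} e_{i,i+1})."""
    c = identity(d)
    c[d - 2][1] = 1                          # e_{d-1,2}
    c[d - 1][0] = 1                          # e_{d,1}
    sign_d = 1 if d % 2 == 0 else -1         # (-1)^d
    dm = [[0] * d for _ in range(d)]
    for i in range(1, d + 1):                # row i carries e_{i,i+1}; e_{d,d+1} = e_{d,1}
        dm[i - 1][i % d] = (sign_d * (-1 if i == 2 else 1)) % p
    return c, dm

def conjugate_by_d_power(x, dm, m, p):
    """D^{-m} x D^{m}; D is a signed permutation matrix, so D^{-1} is its transpose."""
    d = len(dm)
    dt = [[dm[j][i] for j in range(d)] for i in range(d)]
    assert matmul(dt, dm, p) == identity(d)
    left, right = identity(d), identity(d)
    for _ in range(m):
        left, right = matmul(left, dt, p), matmul(right, dm, p)
    return matmul(matmul(left, x, p), right, p)

def normalise(t, d, p, i, j):
    """Turn 1 + s*e_{i,j} (s = +-1) into 1 + e_{i,j}, inverting when s = -1."""
    if t == transvection(d, p, i, j, 1):
        return t
    if t == transvection(d, p, i, j, -1):
        return inverse_unipotent(t, p)
    raise ValueError("unexpected matrix: not 1 +- e_{%d,%d}" % (i, j))

def last_row_transvections(d, p):
    """Return {k: 1 + e_{d,k}} for k = 1..d-1, each a word in C and D."""
    assert d >= 5
    c, dm = generators(d, p)
    t = {}
    c1 = conjugate_by_d_power(c, dm, 1, p)                      # C_1 = D^{-1} C D
    t[2] = normalise(commutator(c, c1, p), d, p, d, 2)           # [C, C_1] = 1 + e_{d,2}
    for k in range(2, d - 2):                                    # k = 2 .. d-3
        ck = conjugate_by_d_power(c, dm, k, p)                   # C_k = D^{-k} C D^k
        t[k + 1] = normalise(commutator(t[k], ck, p), d, p, d, k + 1)
    # 1 + e_{d,d-1} from [1 + e_{d,d-3}, D^{-(d-3)} (1 + e_{d,2}) D^{d-3}]
    u = conjugate_by_d_power(t[2], dm, d - 3, p)                 # 1 +- e_{d-3,d-1}
    t[d - 1] = normalise(commutator(t[d - 3], u, p), d, p, d, d - 1)
    e21 = normalise(conjugate_by_d_power(t[d - 1], dm, 2, p), d, p, 2, 1)
    t[1] = normalise(commutator(t[2], e21, p), d, p, d, 1)       # [1+e_{d,2}, 1+e_{2,1}]
    return t

def all_last_row_recovered(d, p):
    """True when every 1 + e_{d,k}, k = 1..d-1, was obtained from C and D."""
    t = last_row_transvections(d, p)
    return sorted(t) == list(range(1, d)) and all(
        t[k] == transvection(d, p, d, k) for k in t)

if __name__ == "__main__":
    for d, p in ((5, 7), (6, 5), (7, 2)):
        print("SL(%d, %d): last-row transvections recovered: %s"
              % (d, p, all_last_row_recovered(d, p)))
```

Every intermediate product is checked against the expected shape 1 ± e_{i,j}, so a wrong sign convention surfaces as an exception rather than a silently wrong word; the remaining transvections 1 + e_{i,j} then follow from the relations in SL(d, p) as the proof states.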
9. Conclusions

This paper studies the MOR cryptosystem for the special linear group over finite fields. Cryptography is primarily driven by applicability. So it is natural to ask, how efficiently can one implement this MOR cryptosystem? How secure is the cryptosystem? I talked in detail about both these issues in Sections 8 and 7 respectively. These are often hard questions to answer from a preliminary investigation. The worst case complexity is often far off from the actual cost of computation, and security in itself is a very elusive concept. We now offer some realistic expectations on the computational cost of this MOR cryptosystem when q = 2^{\gamma}.

From the small experiments we did, it seems reasonable to assume that a randomly chosen element of SL(d, q) is generated by approximately d elementary transvections, not d^2 elementary transvections. This is also corroborated by the proof of the previous theorem, where we show that SL(d, p) is generated by all transvections of the form 1 + e_{d,k}, k = 1, 2, \ldots, d - 1, and by Humphries [7].

Then we need to compute the image of these d elementary transvections under the automorphism \phi. For that we need to split each elementary transvection into a product of elementary transvections over the ground field using Equation (2). Then in the worst case we now have \gamma d elementary transvections. But since in any random binary string of length \gamma there are on average at most \gamma/2 ones, a more realistic expectation of the number of transvections is (\gamma/2) d. Using the same expectation as before, the image of these transvections under \phi will be a string of (\gamma/2) d^2 elementary transvections. Now if we use a straight line program, i.e., use the elementary transvections to multiply the one next to it to form the matrix, then the worst case complexity will be (\gamma/2) d^3 field multiplications. However, in reality that complexity will be something like (\gamma/2) d^{\lambda} where 2 < \lambda < 3. So it is safe to assume that in practice \lambda will be around 2.5.

With all this understanding we can say that if q is a field of characteristic 2 and degree \gamma, then composition of two automorphisms requires around

d^2 + (\gamma/2) d^{2.5}

field multiplications.
Now notice that if I was working with a finite field F_{q^d}, then the naive product of two non-zero field elements costs around d^2 field multiplications. We are quite close to that. Moreover the security we get is the discrete logarithm problem in a finite extension of F_{q^d}. This provides us with a considerable security advantage over the discrete logarithm problem in F_{q^d}.

Lastly, I recommend that the plaintext should be an elementary transvection. It is known that the trace and the determinant are invariant under matrix conjugation. So the trace or the determinant can give out information about the plaintext. However, if it is an elementary transvection, then the trace is always d and the determinant 1.
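As an added illustration of this last point (example code, not from the paper), the following Python assumes the automorphism is inner, \phi(m) = g m g^{-1} for a matrix g in SL(d, p), and compares what the invariants of \phi(m) reveal for generic plaintexts against elementary-transvection plaintexts; the matrices g, m_a, m_b, t_a, t_b and the parameters d = 5, p = 7 are constructed sample data.

```python
# Added example (not from the paper): trace and determinant survive conjugation,
# so a ciphertext component phi(m) = g m g^{-1} reveals them for the plaintext m.
# Assumption: phi is an inner automorphism given by a fixed matrix g over F_p.

def matmul(a, b, p):
    d = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(d)) % p for j in range(d)]
            for i in range(d)]

def identity(d):
    return [[int(i == j) for j in range(d)] for i in range(d)]

def transvection(d, p, i, j, val=1):
    """Elementary transvection 1 + val * e_{i,j} (1-based indices)."""
    m = identity(d)
    m[i - 1][j - 1] = val % p
    return m

def trace(m, p):
    return sum(m[i][i] for i in range(len(m))) % p

def det_mod_p(m, p):
    """Determinant over F_p by Gaussian elimination with row swaps."""
    a = [row[:] for row in m]
    d, det = len(a), 1
    for col in range(d):
        pivot = next((r for r in range(col, d) if a[r][col] % p), None)
        if pivot is None:
            return 0
        if pivot != col:
            a[col], a[pivot] = a[pivot], a[col]
            det = -det
        det = det * a[col][col] % p
        inv = pow(a[col][col], -1, p)
        for r in range(col + 1, d):
            f = a[r][col] * inv % p
            if f:
                a[r] = [(x - f * y) % p for x, y in zip(a[r], a[col])]
    return det % p

def inverse_mod_p(m, p):
    """Inverse over F_p by Gauss-Jordan elimination; raises if singular."""
    d = len(m)
    a = [row[:] + [int(i == j) for j in range(d)] for i, row in enumerate(m)]
    for col in range(d):
        pivot = next((r for r in range(col, d) if a[r][col] % p), None)
        if pivot is None:
            raise ValueError("matrix is singular mod p")
        a[col], a[pivot] = a[pivot], a[col]
        inv = pow(a[col][col], -1, p)
        a[col] = [x * inv % p for x in a[col]]
        for r in range(d):
            if r != col and a[r][col]:
                f = a[r][col]
                a[r] = [(x - f * y) % p for x, y in zip(a[r], a[col])]
    return [row[d:] for row in a]

def conjugate(g, m, p):
    """phi(m) = g m g^{-1}."""
    return matmul(matmul(g, m, p), inverse_mod_p(g, p), p)

def invariants(m, p):
    """(trace, determinant): what a conjugate of m reveals about m."""
    return trace(m, p), det_mod_p(m, p)

def diagonal(entries, p):
    d = len(entries)
    return [[entries[i] % p if i == j else 0 for j in range(d)] for i in range(d)]

# Constructed sample data: d = 5, p = 7.  G is a product of three transvections
# (so it lies in SL(5,7)); M_A, M_B are diagonal elements of SL(5,7).
P, D = 7, 5
G = matmul(matmul(transvection(D, P, 1, 3, 2), transvection(D, P, 4, 2, 3), P),
           transvection(D, P, 5, 1, 1), P)
M_A = diagonal([2, 4, 1, 1, 1], P)     # det = 8 = 1 mod 7, trace = 9 = 2 mod 7
M_B = diagonal([3, 5, 1, 1, 1], P)     # det = 15 = 1 mod 7, trace = 11 = 4 mod 7
T_A = transvection(D, P, 2, 5, 3)      # elementary transvections: trace d = 5, det 1
T_B = transvection(D, P, 4, 1, 5)

def distinguishable_by_invariants(m1, m2, p):
    """True if conjugates of m1 and m2 can be told apart by trace/determinant alone."""
    return invariants(conjugate(G, m1, p), p) != invariants(conjugate(G, m2, p), p)

if __name__ == "__main__":
    for name, m in (("m_a", M_A), ("m_b", M_B), ("t_a", T_A), ("t_b", T_B)):
        print(name, "invariants:", invariants(m, P),
              "-> of phi(m):", invariants(conjugate(G, m, P), P))
    print("generic plaintexts distinguishable:", distinguishable_by_invariants(M_A, M_B, P))
    print("transvection plaintexts distinguishable:", distinguishable_by_invariants(T_A, T_B, P))
```

The two diagonal plaintexts are told apart by the trace of their conjugates alone, while both transvections give (trace, det) = (d, 1) and cannot be.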

References

[1] A. A. Albert and John Thompson, Two-element generation of the projective unimodular group, Illinois Journal of Mathematics 3 (1959), 421-439.

[2] J. L. Alperin and Rowen B. Bell, Groups and Representations, Springer, 1995.

[3] Roger W. Carter, Simple groups of Lie type, John Wiley & Sons, 1989.

[4] Don Coppersmith and Shmuel Winograd, Matrix multiplication via arithmetic progressions, Proceedings of the nineteenth annual ACM conference on Theory of Computing, 1987, pp. 1-6.

[5] Jean Dieudonné and Loo-Keng Hua, On the automorphisms of the classical groups, Memoirs of the American Mathematical Society (1951), no. 2.

[6] The GAP Group, GAP - Groups, Algorithms, and Programming, Version 4.4.10, 2007.

[7] Stephen P. Humphries, Generation of special linear groups by transvections, Journal of Algebra 99 (1986), 480-495.

[8] Neal Koblitz, Alfred Menezes, and Scott Vanstone, The state of elliptic curve cryptography, Designs, Codes and Cryptography 19 (2000), 173-193.

[9] In-Sok Lee, Woo-Hwan Kim, Daesung Kwon, Sangil Nahm, Nam-Seok Kwak, and Yoo-Jin Baek, On the security of MOR public key cryptosystem, Asiacrypt 2004 (P. J. Lee, ed.), LNCS, no. 3329, Springer-Verlag, 2004, pp. 387-400.

[10] Ayan Mahalanobis, A simple generalization of the ElGamal cryptosystem to non-abelian groups, Communications in Algebra 36 (2008), no. 10, 3878-3889.

[11] Alfred Menezes and Yi-Hong Wu, The discrete logarithm problem in GL(n, q), Ars Combinatoria 47 (1997), 23-32.

[12] Seong-Hun Paeng, On the security of cryptosystem using the automorphism groups, Information Processing Letters 88 (2003), 293-298.

[13] Seong-Hun Paeng, Kil-Chan Ha, Jae Heon Kim, Seongtaek Chee, and Choonsik Park, New public key cryptosystem using finite non-abelian groups, Crypto 2001 (J. Kilian, ed.), LNCS, vol. 2139, Springer-Verlag, 2001, pp. 470-485.

[14] Joseph J. Rotman, An introduction to the theory of groups, 4th ed., Springer-Verlag, 1994.

[15] Oliver Schirokauer, Damian Weber, and Thomas Denny, Discrete logarithms: the effectiveness of the index calculus method, Algorithmic number theory (Talence, 1996), LNCS, vol. 1122, 1996, pp. 337-361.

[16] Joseph Silverman and Joe Suzuki, Elliptic curve discrete logarithms and the index calculus, Asiacrypt'98 (K. Ohta and D. Pei, eds.), LNCS, vol. 1514, 1998, pp. 110-125.

[17] Robert Steinberg, Automorphisms of finite linear groups, Canadian Journal of Mathematics 12 (1960), 606-615.

[18] Douglas Stinson, Cryptography: theory and practice, third ed., Chapman & Hall/CRC, 2006.

Department of Mathematical Sciences, Stevens Institute of Technology, Hoboken, NJ 07030

E-mail address: Ayan.Mahalanobis@stevens.edu